Chapter 1: Understanding the Cybersecurity Landscape
To start, you get some real-world examples of high-profile attacks. You also get a glimpse into the psyche of a cybercriminal to understand what motivates such a person, and you take a walk through the threat life cycle — from cradle to, well, the targeted network.
Chapter 2: The Role of Malware in Cyberattacks
This chapter describes the characteristics of advanced malware and dissects some of these evil critters!
Chapter 3: Why Traditional Security Solutions Fail to Control Advanced Malware
Chapter 3 explains why legacy port-based firewalls, intrusion prevention systems, and other security solutions are largely ineffective in the fight against advanced attacks.
Chapter 4: What Next-Generation Security Brings to the Fight
This chapter takes a deep dive into the advanced capabilities and features of next-generation security and lays out a practical methodology to protect your enterprise from advanced threats and cyberattacks.
Chapter 5: Creating Advanced Threat Protection
Chapter 5 explains the importance of developing organizational security policies and controls, and how to implement and enforce those policies with next-generation security.
Ten Things to Look for in a
Finally, in that classic For Dummies format, the book ends with a Part of Tens chapter chock‐full of security best practices!
And, just in case you get stumped on a technical term or an acronym here or there, I’ve included a glossary to help you sort through it all.
Icons Used in This Book
Throughout this book, you’ll occasionally see special icons that call attention to important information. You won’t see any smiley faces winking at you or any other little emoticons, but you’ll definitely want to take note! Here’s what you can expect.
This icon points out information that may well be worth committing to your nonvolatile memory, your gray matter, or your noggin — along with anniversaries and birthdays!
You won’t find a map of the human genome or the secret blueprints for the next iPhone here (or maybe you will, hmm), but if you seek to attain the seventh level of NERD-vana, perk up! This icon explains the jargon beneath the jargon and is the stuff legends — well, nerds — are made of!
Thank you for reading, hope you enjoy the book, please take care of your writers! Seriously, this icon points out helpful suggestions and useful nuggets of information.
Proceed at your own risk. Well, okay — it’s actually nothing that hazardous. These useful alerts offer practical advice to help you avoid making potentially costly mistakes.
Where to Go from Here
With our apologies to Lewis Carroll, Alice, and the Cheshire cat:
“Would you tell me, please, which way I ought to go from here?”
“That depends a good deal on where you want to get to,” said the Cat — er, the Dummies Man.
“I don’t much care where,” said Alice.
“Then it doesn’t matter which way you go!”
That’s certainly true of Cybersecurity For Dummies, Palo Alto 2nd Edition, which, like Alice in Wonderland, is destined to become a timeless classic!
If you don’t know where you’re going, any chapter will get you there — but Chapter 1 may be a good place to start! However, if you see a particular topic that piques your interest, feel free to jump ahead to that chapter. Each chapter is individually wrapped (but not packaged for individual sale) and written to stand on its own, so feel free to start reading anywhere and skip around! Read this book in any order that suits you (though I don’t recommend upside down or backward). I promise that you won’t get lost falling down the rabbit hole!
▶ Seeing the threat through real-world examples
▶ Understanding how cybercriminals have changed
For many years, the security industry was seen as Chicken Little, telling anyone who would listen that “the sky was falling” and that cybercriminals were trying to steal their most precious information. For the most part, that simply wasn’t the case. Attackers were largely creatures of opportunity seeking the path of least resistance — if they encountered a secured network, they were likely to move on, looking for a softer target. But today’s cybercriminals are highly motivated professionals — often well-funded by criminal organizations or nation-states — who are far more patient and persistent in their efforts to break through an organization’s defenses.
In this chapter, you find out why cybercriminals are more dangerous than ever before.
Malware is malicious software or code that typically damages or disables, takes control of, or steals information from a computer system. Malware broadly includes adware, backdoors, bootkits, logic bombs, rootkits, spyware, Trojan horses, viruses, and worms.
The State of Today’s Intrusions
Today’s threats are more sophisticated and equal-opportunity than ever before. All types of organizations and information are being targeted. More and more attacks are coming to fruition, producing a steady stream of high-profile, sophisticated breaches and intrusions, including
✓ Target (customer information): In December 2013, an intruder compromised Target’s network using credentials stolen from a third-party heating, ventilation, and air-conditioning (HVAC) vendor. The retailer’s point-of-sale (POS) systems were not properly segmented from other systems (such as industrial systems) on the network, so the attacker was able to move freely from system to system, installing malware on nearly all of Target’s POS devices in stores across the country and gaining access to roughly 40 million payment card numbers and the personal records of some 70 million customers.
✓ Sony Pictures (intellectual property): In November 2014, attackers posted unreleased films and sensitive information pertaining to employees, including executives, online. Though the U.S. government attributed the attack to nation-state hackers in North Korea, it was later alleged by some researchers that these attacks were launched via a spear-phishing campaign by cybercriminals in Russia and Ukraine. These attacks not only delayed releases of several Sony films, but also publicly embarrassed several Sony executives.
✓ U.S. Office of Personnel Management (employee information): In June 2015, the U.S. government’s Office of Personnel Management (OPM) discovered that attackers had infiltrated its databases by exploiting numerous vulnerabilities and were sending large data files to destinations outside the organization’s network. OPM estimates that personal data (including Social Security numbers) of more than 4 million current, former, and prospective federal employees was stolen, but FBI Director James Comey estimates that as many as 18 million records may have been compromised.
✓ Anthem Blue Cross (customer information): In February 2015, the second largest health insurer in the United States publicly disclosed that attackers had breached its servers and stolen as many as 80 million customer records containing personal data and Social Security numbers. The attack is suspected to have been carried out by state-sponsored hackers in China, using malware to exploit Adobe Flash vulnerabilities, and may have gone undetected for almost two months before being discovered by a database administrator who noticed that his own logon credentials were being used to run a suspicious database query.
✓ Lenovo (hacktivism): In February 2015, Lizard Squad, a loosely organized hacktivist group, hijacked computer manufacturer Lenovo’s website and redirected customers to a site that posted selfie slideshows (allegedly of the hackers themselves). This incident caused further reputation damage for Lenovo, which had recently disclosed that it had shipped laptops with Superfish pre-installed, an adware program that planted its own root certificate (with the same private key on every machine) so that it could intercept encrypted connections, which in turn facilitates man-in-the-middle attacks by anyone who extracts that key.
Spear phishing is a targeted phishing campaign that appears more credible to its victims because the attacker has gathered specific information about the target, and thus it has a higher probability of success.
A spear‐phishing email may spoof an organization (such as a financial institution) or individual that the recipient actually knows and does business with, and may contain very specific information (such as the recipient’s first name, rather than just an email address).
Spear phishing, and phishing attacks in general, are not always conducted via email. A link is all that’s required, such as a link on Facebook or on a message board, or a shortened URL on Twitter. These methods are particularly effective in spear phishing because they allow the attacker to gather a great deal of information about the targets and then lure them into dangerous clicks in a place where the users feel comfortable. Security awareness training and well-defined processes are an important element in preventing attacks that leverage these delivery tactics and other social-engineering techniques.
Given its flexibility and ability to evade defenses, advanced malware presents an enormous threat to the organization. Advanced malware is virtually unlimited in terms of functionality — from sending spam to the theft of classified information and trade secrets. The ultimate impact of advanced malware is largely left up to the attacker, from sending spam one day to stealing credit card data the next — and far beyond, as many cyberattacks go undetected for months or even several years. For example, the Home Depot security breach of 2014 went undetected for five months and resulted in the compromise of more than 56 million payment cards.
Advanced malware is a key component of targeted, sophisticated, and ongoing attacks, and it can be customized to compromise specific high-value systems in a target network.
In these cases, an infected endpoint inside the network can be used to steal login credentials and initiate lateral movement in order to gain access to protected systems and to establish backdoors in case any part of the intrusion is discovered.
These types of threats are almost always undetectable by traditional signature-based antivirus software on the endpoint. They represent one of the most dangerous threats to organizations because they’re specifically created with custom components designed to bypass known security technologies and leverage vulnerabilities and weaknesses within the targeted organization. These attacks target the organization’s most valuable information, such as research and development, intellectual property, strategic planning, financial data, and customer information, and are typically well financed, as the return on investment is typically more than 1,000 percent.
Carbanak: The Great Bank Robbery
Carbanak is one of the latest examples of a targeted attack. It began in August 2013 and, at the time of writing, is still active. The attackers sent spear-phishing emails with malicious CPL attachments or Word documents exploiting known vulnerabilities.
Once inside the victim’s network, money is extracted. Each raid has lasted two to four months. To date the attackers have targeted up to 100 financial institutions, causing aggregated losses estimated at $1 billion.
Chapter 1: Understanding the Cybersecurity Landscape 9
Bots (individual infected endpoints) are often used in distributed denial-of-service (DDoS) attacks to overwhelm a target server or network with traffic from a large number of bots. In such attacks, the bots themselves are not the target of the attack. Instead, the bots are used to flood some other remote target with traffic. Of course, it usually takes an army of bots, known as a botnet, to bring down a target network or server. The attacker leverages the massive scale of the botnet to generate traffic that overwhelms the network and server resources of the target. DDoS attacks often target specific companies for personal or political reasons, or to extort payment from the target in return for stopping the attack.
Botnets themselves are dubious sources of income for cybercriminals. Botnets are created by cybercriminals to harvest computing resources (bots). Control of botnets (through command-and-control (CnC) servers) can then be sold or rented out to other cybercriminals for various nefarious purposes.
Chapter 4: What Next-Generation Security Brings to the Fight
critical component of controlling cyberattacks and the threats they pose.
A next-generation firewall performs a true classification of traffic based not simply on port and protocol, but on an ongoing process of application analysis, decryption, decoding, and heuristics. These capabilities progressively peel back the layers of a traffic stream to determine its true identity (see Figure 4-1). The ability to pinpoint and analyze even unknown traffic — without regard to port or encryption — is the defining characteristic of a true next-generation firewall and is invaluable in the fight against advanced malware, exploits, and other sophisticated threats.
Cybercriminals thrive on their ability to blend in with approved or “normal” traffic The quality of your visibility into that traffic is one of your most critical assets.
Additionally, the next-generation firewall provides a fully integrated approach to threat prevention in a unified context: true coordination of multiple security disciplines (for example, application identity, malware and exploit detection, intrusion prevention, URL filtering, file type controls, and content inspection), as opposed to simply co-locating them on the same box. This integration provides a far more intelligent and definitive understanding of malware than any individual technology can provide by itself — and is needed in order to see and understand the telltale signs of unknown threats.
Figure 4-1: Traffic classification in a next-generation firewall.
One of the most important steps that an organization can take to control advanced malware is to reduce attack vectors and eliminate the ability for malware to hide in the network. Today the majority of vectors used by malware are virtually unchecked, and malware traffic is typically small enough to easily blend into the background of “normal” network traffic. By regaining full visibility and control of exactly what traffic is allowed into the network and why, security teams can accomplish both of these goals.
Enforcing positive control is essential in the fight against malware. Positive control greatly reduces the attack surface and mitigates overall risk. Thus, an important first step for the organization is to return to a positive control model. Positive control simply means allowing only the specific applications and traffic you want (an allow-list), instead of trying to block everything that you don’t want.
Positive control has long been a defining characteristic of network firewalls that separates them from other types of network security devices. But positive control also needs to extend to endpoints, mobile devices, and cloud environments alike. Your goal is to identify and reduce the attack and threat vectors across your entire environment and tailor protections — including private and public cloud segmentation, virtual firewalls, and SaaS applications — against each, while maintaining a consistent and effective security policy.
For example, if you want to permit Telnet, you allow TCP port 23 through your firewall. Unfortunately, traditional firewalls cannot properly delineate other applications and protocols that may also be using port 23. Applications and malware now use nonstandard, commonly open ports (for example, TCP ports 80, 443, and 53) or simply hop between any available open ports to evade traditional firewalls.
Extending positive control to include all applications, irrespective of port, is not as easy as simply flipping a switch. Employees may use certain applications that don’t have a readily apparent business value. Additionally, some applications may be used for both personal and work purposes. For example, Facebook can be used for social networking, but it has also become an increasingly important tool for many company marketing, sales, and recruiting initiatives.
As such, organizational IT security teams should consult appropriate groups and departments within the organization to determine approved applications and uses and to establish appropriate policies. These policies should allow only certain users to access specific applications, or limit the use of specific applications to certain approved features.
To reduce the attack surface on the network, in virtual environments, and on endpoints, organizations must
✓ Enforce positive control of all network traffic to prevent unnecessary or high-risk traffic, even when encryption or port evasion techniques are used to hide the traffic.
✓ Establish policies for approved applications and uses based on work needs and culture, by determining
• What applications and protocols are in use on the network, on endpoints, and in the cloud
• What applications are required for work and who needs to use them
• What dual-use or personal applications the organization wants to allow
• What data can be shared across IT and non-IT applications
• What devices can connect to your network and how you ensure that they comply with your security policies
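The two ideas above (identifying the application from the traffic itself rather than from the port, and then allowing only what policy explicitly permits) can be shown together in a few dozen lines. The following is an added example written for this page, not code from the book or from any vendor product: a toy classifier that reads the first client payload bytes, and an allow-list policy keyed on the identified application and the user’s group. The port table, protocol signatures, sample flows, group names and rules are all constructed for illustration.

```python
"""Added example (not from the book): payload-based application identification
feeding a positive-control (allow-list) policy. Everything here is constructed."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Tuple

# Legacy view: the destination port *is* the application.
PORT_TABLE = {22: "ssh", 23: "telnet", 53: "dns", 80: "web-browsing", 443: "ssl"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_by_port(dst_port: int, payload: bytes) -> str:
    """Port-based classification; the payload is ignored, which is the weakness."""
    return PORT_TABLE.get(dst_port, "unknown")


def classify_by_payload(dst_port: int, payload: bytes) -> str:
    """Content-based classification from protocol signatures in the first client bytes:
    SSH identification string (RFC 4253), TLS handshake record carrying a ClientHello,
    an HTTP/1.x request line, or a Telnet option negotiation. The port is deliberately
    not consulted, so SSH on port 80 is still SSH and a custom protocol on 443 is unknown."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    first_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in first_line:
        return "web-browsing"
    if len(payload) >= 3 and payload[0] == 0xFF and payload[1] in (0xFB, 0xFC, 0xFD, 0xFE):
        return "telnet"  # IAC followed by WILL/WONT/DO/DONT
    return "unknown"


@dataclass(frozen=True)
class Rule:
    groups: FrozenSet[str]  # user groups the rule applies to; "any" matches everyone
    apps: FrozenSet[str]    # identified applications the rule permits


# Positive control: a flow passes only if some rule explicitly allows the
# (group, application) pair. Unidentified traffic matches no rule and is denied
# instead of riding through on an "open" port. Constructed policy for illustration.
POLICY = [
    Rule(groups=frozenset({"it-admins"}), apps=frozenset({"ssh"})),
    Rule(groups=frozenset({"any"}), apps=frozenset({"web-browsing", "ssl", "dns"})),
]


def evaluate(group: str, dst_port: int, payload: bytes,
             identify: Callable[[int, bytes], str] = classify_by_payload) -> Tuple[str, str]:
    """Return (verdict, application) for one flow under POLICY using the given classifier."""
    app = identify(dst_port, payload)
    for rule in POLICY:
        if app in rule.apps and (group in rule.groups or "any" in rule.groups):
            return ("allow", app)
    return ("deny", app)


def compare(group: str, dst_port: int, payload: bytes) -> dict:
    """Side-by-side verdicts of a port-based firewall and the payload-aware one."""
    return {
        "port_based": evaluate(group, dst_port, payload, classify_by_port),
        "app_based": evaluate(group, dst_port, payload, classify_by_payload),
    }


# Constructed sample flows. TLS_HELLO_PREFIX is only the leading bytes the classifier
# needs (record type 0x16, version 3.x, handshake type 1), not a full ClientHello.
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
TLS_HELLO_PREFIX = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
HTTP_REQUEST = b"GET /beacon HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
CUSTOM_BINARY = b"\x00\x01\x02\x03\x04\x05\x06\x07"

if __name__ == "__main__":
    for group, port, data in [
        ("marketing", 443, TLS_HELLO_PREFIX),  # ordinary HTTPS: both views allow
        ("marketing", 80, SSH_BANNER),         # SSH tunnelled over port 80
        ("it-admins", 80, SSH_BANNER),         # same bytes, but an admin may use SSH
        ("marketing", 53, HTTP_REQUEST),       # HTTP beaconing on the DNS port
        ("marketing", 443, CUSTOM_BINARY),     # unknown protocol hiding on 443
    ]:
        print(group, port, compare(group, port, data))
```

The point of `compare` is the second and last flows: a port-based device sees port 80 or 443 and waves the traffic through, while the payload-aware check identifies SSH (allowed only for the admin group) or nothing it recognizes (denied outright). A production classifier decodes far more than four signatures and keeps state across the stream; the policy shape, allow what is identified and wanted, deny the rest, is the part that carries over.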
Control advanced malware-enabling applications
Applications are an indispensable part of the cyberattack lifecycle, and are critical to both the initial infection of the target endpoint and the ongoing command and control of the attack. Invariably, applications and data can reside both within an organization’s network and outside of it — on endpoints and within public cloud environments.
The association between malware and applications is not new. In the past, the de facto enabling application for malware was organizational email. From a security perspective, viruses and email simply went hand-in-hand. Although email is still used by attackers, it has lost some of its luster, as email security has become a focal point for many organizations. Attackers have shifted much of their attention to softer target applications that interact with users in real time and provide far more threat opportunities. Attackers have gravitated to applications that facilitate social engineering while hiding the presence of compromise. Social networking and personal use applications meet both of these criteria, and are among the most common sources for malware infection and subsequent command and control (see Figure 4-2). These applications include social networking, web-based email, instant messaging (IM), peer-to-peer (P2P), and file transfer. Additionally, targeted attacks will use more work-related protocols and applications, such as Microsoft Word documents and other non-executable files.
Figure 4-2: Preferred social networking/personal use applications and techniques for advanced malware.
Phishing attacks that utilize email applications are still heavily used by attackers to trick users into clicking malicious links or disclosing sensitive information.
These applications are designed to easily share information in a variety of ways, and people often use them with an implied trust and a more cavalier attitude because they may be accustomed to using them outside the office. This provides an attacker with a multitude of infection opportunities.
One of the main drivers for SSL-encrypted traffic is the need to protect communications to and from different sites and applications on the Internet. Twitter has recently joined the ranks of fellow social media giants Facebook and Google by moving to more widespread and default use of SSL (today, TLS) to protect their end-users’ information. Twitter recently announced that users can set a preference to secure all Twitter communication via HTTPS, which will in time become the default setting for the Twitter service. Such default SSL policies actually make it easier for malware to remain hidden, because anything that traverses the network now has to be decrypted before it can be inspected.
This shift to default SSL encryption highlights a very real and important challenge for organizational security that boils down to this:
✓ Web-based email applications, like Gmail and Yahoo! Mail, also use SSL to encrypt communications, and are heavily used in both opportunistic and targeted attacks.
✓ Organizations that lack the ability to dynamically look within or enforce security on SSL-encrypted communications are more or less blind to this potentially malicious traffic.
The ramifications for organizational security are clear: If you can’t control social media and webmail — and specifically applications that are SSL-encrypted — then you’re leaving a clear path open for malware to get into and out of your network. The shift to SSL by default provides a moderate improvement in privacy for the users, but in the process makes the organization far more vulnerable to targeted attacks, lost data, and compromised systems.
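How much of an HTTPS connection a device can see without decrypting it is worth pinning down, because it is exactly the gap the sidebar describes. The following is an added example written for this page, not code from the book or from any product. It constructs a minimal TLS 1.2 ClientHello carrying a Server Name Indication (SNI) extension (a built sample, not a capture; the random field is zeroed and the cipher list is one entry) and parses the hostname back out. The webmail hostnames used for categorization are invented for the example.

```python
"""Added example (not from the book): what is visible in an HTTPS flow before
decryption. The ClientHello is constructed here, not captured from a real client."""
import struct
from typing import Optional

# Constructed category list for illustration; a real product ships its own.
WEBMAIL_HOSTS = {"mail.example.com", "webmail.example.net"}


def build_client_hello(hostname: str) -> bytes:
    """Build a TLS handshake record holding a ClientHello with one SNI entry."""
    name = hostname.encode("ascii")
    server_name_list = struct.pack("!BH", 0, len(name)) + name             # NameType host_name(0)
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body  # ExtensionType server_name(0)
    body = (
        b"\x03\x03"                 # client_version TLS 1.2
        + b"\x00" * 32              # random, zeroed in this constructed sample
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # cipher_suites: one entry, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"               # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a TLS ClientHello record, or None when the data
    is not TLS, not a ClientHello, truncated, or carries no server_name extension."""
    if len(record) < 5 or record[0] != 0x16 or record[1] != 0x03:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                         # truncated capture
    pos = 2 + 32                                            # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                    # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 > len(body):
        return None                                         # no extensions block
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != 0x0000 or len(ext) < 5:
            continue
        (list_len,) = struct.unpack("!H", ext[:2])
        q, list_end = 2, min(2 + list_len, len(ext))
        while q + 3 <= list_end:
            name_type, name_len = ext[q], struct.unpack("!H", ext[q + 1:q + 3])[0]
            q += 3
            if name_type == 0 and q + name_len <= list_end:
                return ext[q:q + name_len].decode("ascii", "replace")
            q += name_len
    return None


def classify_https(record: bytes) -> str:
    """Coarse policy category available without decryption: the hostname and nothing else.
    The request path, headers and body are inside the encrypted session."""
    host = extract_sni(record)
    if host is None:
        return "ssl-unknown-host"
    return "web-mail" if host in WEBMAIL_HOSTS else "ssl"


if __name__ == "__main__":
    hello = build_client_hello("mail.example.com")
    print(extract_sni(hello), classify_https(hello))
    print(extract_sni(b"GET / HTTP/1.1\r\n\r\n"))
```

Two caveats a practitioner should keep in mind. The SNI value is asserted by the client and is the only thing a non-decrypting device learns, so it supports “this is webmail” decisions but not “this attachment is malicious” ones; that second class of check needs the decrypt-and-inspect capability the sidebar argues for. And with TLS 1.3 Encrypted Client Hello the hostname itself is no longer sent in the clear, which removes even this coarse visibility.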
Social applications also present an ideal environment for social engineering, enabling an attacker to impersonate a friend or colleague, for example, to lure an unsuspecting victim into clicking a dangerous web link. For all their sophistication, malware infections continue to rely on enticing an unsuspecting user into performing an ill-advised action, such as clicking a malicious link. Instead of opening an email attachment, the click may be a link in a tweet or on a Facebook page that appears to be from a friend. Cross-site scripting can spread dangerous links among friends, and session-hijacking tools such as Firesheep, which sniff unencrypted session cookies on open Wi-Fi networks, allow attackers to take over social-networking accounts.